OPEN VPN Works for some users and others not



  • Hi there,

    I need your help in this case.
    Can't identify the source of this issue. It seems like the provider is blocking something, but TCP and UDP connections are tested and work just fine.

    Here are the logs from the OPENVPN client when it's not working

    Tue Dec 31 12:08:42 2019 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
    Tue Dec 31 12:08:42 2019 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Dec 31 12:08:42 2019 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
    Enter Management Password:
    Tue Dec 31 12:08:54 2019 Control Channel Authentication: using 'X-udp-80-tls.key' as a OpenVPN static key file
    Tue Dec 31 12:08:54 2019 UDPv4 link local (bound): [undef]
    Tue Dec 31 12:08:54 2019 UDPv4 link remote: [AF_INET]X:80
    

    And here when it works

    Tue Dec 31 12:08:42 2019 OpenVPN 2.3.11 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on May 10 2016
    Tue Dec 31 12:08:42 2019 Windows version 6.2 (Windows 8 or greater) 64bit
    Tue Dec 31 12:08:42 2019 library versions: OpenSSL 1.0.1t  3 May 2016, LZO 2.09
    Enter Management Password:
    Tue Dec 31 12:08:54 2019 Control Channel Authentication: using 'X-udp-80-tls.key' as a OpenVPN static key file
    Tue Dec 31 12:08:54 2019 UDPv4 link local (bound): [undef]
    Tue Dec 31 12:08:54 2019 UDPv4 link remote: [AF_INET]X:80
    Tue Dec 31 12:08:54 2019 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Tue Dec 31 12:08:54 2019 [AMA_PFSIXN_srvcert] Peer Connection Initiated with [AF_INET]X:80
    Tue Dec 31 12:08:57 2019 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
    Tue Dec 31 12:08:57 2019 open_tun, tt->ipv6=0
    Tue Dec 31 12:08:57 2019 TAP-WIN32 device [Ethernet 2] opened: \\.\Global\{54B48507-1CE7-44F8-BCAD-1863C6C4FD26}.tap
    Tue Dec 31 12:08:57 2019 Set TAP-Windows TUN subnet mode network/local/netmask = X/X/255.255.255.0 [SUCCEEDED]
    Tue Dec 31 12:08:57 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of X/255.255.255.0 on interface {54B48507-1CE7-44F8-BCAD-1863C6C4FD26} [DHCP-serv: X, lease-time: 31536000]
    Tue Dec 31 12:08:57 2019 Successful ARP Flush on interface [49] {54B48507-1CE7-44F8-BCAD-1863C6C4FD26}
    Tue Dec 31 12:09:02 2019 Initialization Sequence Completed
    Tue Dec 31 12:09:02 2019 Start net commands...
    Tue Dec 31 12:09:02 2019 C:\Windows\system32\net.exe stop dnscache
    Tue Dec 31 12:09:02 2019 ERROR: Windows ipconfig command failed: returned error code 2
    Tue Dec 31 12:09:02 2019 C:\Windows\system32\net.exe start dnscache
    Tue Dec 31 12:09:02 2019 ERROR: Windows ipconfig command failed: returned error code 2
    Tue Dec 31 12:09:02 2019 C:\Windows\system32\ipconfig.exe /flushdns
    Tue Dec 31 12:09:02 2019 C:\Windows\system32\ipconfig.exe /registerdns
    Tue Dec 31 12:09:05 2019 End net commands...
    
    

    And here are the pcap files from the pfSense

    When it doesn't work

    wireshark

    When it does work

    wireshark

    A man needs help.
    A man is in front of the wall.

    Regards

    Sangomab


  • LAYER 8 Rebel Alliance

    Uninstall your 4 year old OpenVPN 2.3.11, Reboot and install the latest OpenVPN 2.4.8

    -Rico



  • @Rico first, thank you for your reply :)
    Can this be the source of the issue, or did you just see the version and that's all?
    Because in my position the upgrade of OpenVPN will take time, so?? If it's a general issue for this version, please send me logs of it. Perhaps find with me the logic in these logs ☺ 🙏


  • LAYER 8 Rebel Alliance

    Yes, your logs look like a possible client problem to me.
    We had a lot of issues with 2.3.X and Windows 10; since 2.4 everything is smooth.
    And because of the "interactive service" they use since OpenVPN 2.4, you definitely want it because your users don't need admin rights (or any weird hacks) to run OpenVPN. Install it with admin rights and then it works just out of the box for your users.

    -Rico



  • I return to you after the update of OpenVPN and the OpenVPN client explorer to the last version in pfSense.
    It seems like most of the issues are solved, but I have some users with this error


    Something with the TLS Error.
    I already googled it and I found this OpenVPN solution

    it's one of these issues:

    • A perimeter firewall: it's a home connection, no firewalls or other network devices (no provider issue either, because I tested with mobile data and my own WAN provider)
    • A NAT gateway on the server's network does not have a port forward rule for TCP/UDP 1194: it's directly using the pfSense interface for authentication and I have many other clients working
    • The OpenVPN client config does not have the correct server address: it's the right one
    • Another possible cause is that the Windows firewall is blocking access: I disabled it for testing and it's the same

    Any idea about this issue?
    thank you

    Sangomab



  • @Rico any idea?


  • LAYER 8 Rebel Alliance

    Sniff traffic on the pfSense side to check if the client can even hit your OpenVPN server.

    -Rico
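
An added example, not part of the thread or of OpenVPN/pfSense: a small Python triage of client logs like the two in the first post, reporting the last milestone reached so it is clear when the next step is the server-side capture suggested above. The milestone names, the `triage` function and the `TLS Error` sample line are assumptions made for illustration.

```python
import re

# Client-side milestones, in the order the working log on this page reaches them.
MILESTONES = [
    ("socket_ready", re.compile(r"link remote:")),
    ("peer_connected", re.compile(r"Peer Connection Initiated")),
    ("tap_opened", re.compile(r"TAP-\w+ device \[.*\] opened")),
    ("connected", re.compile(r"Initialization Sequence Completed")),
]
NEXT_STEP = {
    "not_started": "client never opened its socket: check remote/port in the config",
    "socket_ready": "handshake never completed: capture on the server WAN to see "
                    "whether this client's packets arrive at all",
    "peer_connected": "handshake is fine: look at TAP adapter setup on the client",
    "tap_opened": "adapter opened but setup did not finish: check routes/DHCP",
    "connected": "tunnel is up: review any ERROR lines separately",
}

def triage(log_text):
    """Return the furthest milestone reached plus any error lines seen."""
    reached = -1
    tls_errors, errors = [], []
    for line in log_text.splitlines():
        for idx, (_, pattern) in enumerate(MILESTONES):
            if pattern.search(line):
                reached = max(reached, idx)
        if "TLS Error" in line:
            tls_errors.append(line.strip())
        elif "ERROR:" in line:
            errors.append(line.strip())
    stage = MILESTONES[reached][0] if reached >= 0 else "not_started"
    return {"stage": stage, "tls_errors": tls_errors, "errors": errors,
            "next_step": NEXT_STEP[stage]}

# Lines taken from the logs in the first post (addresses redacted as X there;
# the TAP line is shortened here).
FAILING = """\
Tue Dec 31 12:08:54 2019 UDPv4 link local (bound): [undef]
Tue Dec 31 12:08:54 2019 UDPv4 link remote: [AF_INET]X:80
"""
WORKING = FAILING + """\
Tue Dec 31 12:08:54 2019 [AMA_PFSIXN_srvcert] Peer Connection Initiated with [AF_INET]X:80
Tue Dec 31 12:08:57 2019 TAP-WIN32 device [Ethernet 2] opened
Tue Dec 31 12:09:02 2019 Initialization Sequence Completed
Tue Dec 31 12:09:02 2019 ERROR: Windows ipconfig command failed: returned error code 2
"""
# Constructed line: the later post only says "something with the TLS Error".
TLS_FAIL = FAILING + "Tue Dec 31 12:09:54 2019 TLS Error: TLS handshake failed\n"

if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("working", WORKING), ("tls", TLS_FAIL)):
        result = triage(log)
        print(name, "->", result["stage"], "|", result["next_step"])
```
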

